Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Great work, cottonball! Now that you're clean, we can perform the last bit of the fix:

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

When you see Command Prompt on the list, right-click on it and select Run as administrator

When command prompt opens, copy and paste the following commands into it, press enter after each

sfc /scannow

Wait for this to finish before you continue

copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

This will create a file, cbs.txt on your Desktop. Please attach this to your next post.

I believe we have liftoff!

Looks like SFC /SCANNOW has correctly replaced the infected 550,912 byte version of RPCSS.DLL (which just a moment ago was in C:\Windows\System32) with the new 550,400 byte clean one you provided in the ZIP file going into SFCFix.

I'm attaching the log from the /SCANNOW.

Now... the only remaining item is that there are now TWO copies of the infected version of RPCSS.DLL still living in \Winsxs\Temp\PendingDeletes of the form $$DELETEME.... Previously there was only one. So obviously it is the SFC /SCANNOW which is creating these.

However I myself cannot delete them (access denied). So how are they supposed to get deleted??? I don't want them on my system, as they are the infected versions. Even though HitmanPro long ago (several days ago) removed the crucial activating Registry entries so that these two $$DELETEME versions are harmless, I still want to delete them... as their name suggests was intended.

So, how does one go about deleting them??

Anyway, this long and arduous process does appear to be just about at its true completion once these two $$DELETEME files are finally deleted. They are the only existing copies of the infected RPCSS.DLL remaining on the disk.

Can't thank all of you who contributed anything at all enough. Reps will be given all around!

So we've fixed rpcss.dll; now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes. This error is a little worrying though, it's unusual for an issue like this to return a fatal (F) error like this:

now for the next issue! I suspect this issue will be fixed if you reboot, so reboot your computer and let me know how it goes.

Well, I re-booted but I don't know what you expect to happen. I had already re-booted previously (following the SFC /SCANNOW) and the results posted reflected that re-boot. And there were still the two $$DELETEME versions of the corrupted RPCSS.DLL still sitting there in \Winsxs\Temp\PendingDeletes, having been created there by SFC but not actually deleted.

So I didn't have any expectations about seeing those two files disappear upon a new re-boot. And in fact they did NOT disappear. They're still there.

So I don't know what else you've described as "the next issue". Is it these two files that don't seem to actually ever get deleted? Or is it some other file?

Also, I ran my own screenshot looking for RPCSS.DLL, posted above. But if you wanted me to run some other scan utility you didn't mention it. So I don't know what you expected me to provide in this reply that would tell you "how it went"?? What log file or other output are you wanting me to generate and post for you to look at, now that I've re-booted?

I'd like to get rid of those two $$DELETEME files, and it sounds like you've seen (in the SFC log) a third file that didn't get deleted either... although I don't know what that file is.

Cottonball, would you mind killing off this folder with FRST please? I'm not sure what permissions are on this folder and it's subfiles, but I'm guessing it will be a little more than a right click > delete and the only tools I know to do a job like this are the malware removal ones, ie tools I'm not allowed to use yet (the fun ones!)

MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131

MBAM Team seeks "Bugfixes" and "Features" for new version>>Disclaimer #1: I do not work for Malwarebytes, so please do not shoot the messenger.<<
>>Disclaimer #2: Please submit your feedback directly to the Malwarebytes Team Members in the links provided below, rather than here in this thread (I cannot guarantee that they will see your comments and...

System Security

"access denied" when using "assoc" and "ftype" from cmdline?I tried to associate the file extension .txt to a new editor program
with the well known cmdline programs ASSOC and FTYPE.
No, assigning them through WinExplorer menu does not work.
But this is another problem which should not discussed here.
When I type now one of the following...

General Discussion

Crippling "server is busy" errors on boot, can't find culprit processHello !
It's been a while now that my Windows 7 computer gets a crippling "server is busy" error.
My problem, in a nutshell : I don't manage to identify WHICH process is responsible for this, I also don't know if recognizable patterns are logged as events, or not :(
Description of the...

General Discussion

MBAM Pro settings - how to automatically get "missed updates"?I've been struggling with this problem (clearly must be a settings issue), but cannot seem to figure out what to do in order to avoid the problem symptom. Either that, or it's a program bug (which I will report on the MBAM forum, but I hate to post there because of "attitude").
I would like...

System Security

Firefox culprit for "reduced leading" in PREFS.JS: FLASH PLUGIN!!!As I continued to try and chase down my "reduced leading" problem whenever I visited certain forum web sites and then closed/re-opened Firefox, I carefully compared my PREFS.JS from a "perfect, working" copy vs. what PREFS.JS looked like right after closing the very first Firefox session after...